The first two fields avoid exposing the cookie over plain HTTP, which would give an attacker on the network an opportunity to read it. Anyone who can read the session cookie can impersonate your account and log into your site with it. This is obviously a security risk.

The remaining settings are optional, but give better security. A clickjacking site, for instance, tries to show your site in an iframe and overlays an element to capture user input.

2. Nginx configuration

Just adding SSL settings to Nginx is not enough. To get an A+ score in the SSL test you need to configure the SSL ciphers properly. There are various combinations; this is an example:

Please verify these cipher settings against the current SSL test suite; it's possible you may need other ciphers in the future. The dhparam file provides larger parameters for the Diffie-Hellman key exchange used by the DH ciphers. Generate this file using:

/usr/bin/openssl dhparam -out /etc/ssl/private/dhparam.pem 4096

It takes a few minutes to generate this file!

3. Updating content

When making sites SSL-only, modern browsers will no longer allow "mixed content". This can affect staff users who write content for the website. For example, when embedding a YouTube video, the URL should use the https:// protocol prefix; browsers won't load the video otherwise. You can also use // as the prefix, so browsers pick the current protocol automatically.
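Finding such embeds before the browser refuses them is easy to automate. The checker below is an added example (not code from the original post): it scans stored HTML for sub-resources loaded over http:// and returns a copy rewritten to https://, leaving ordinary links alone. The sample HTML and the VIDEO_ID value are constructed for the demonstration.

```python
"""Mixed-content checker for stored HTML (added example, not the post's own code)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes the browser fetches as a sub-resource; plain <a href> links are
# not mixed content and are deliberately left out.
RESOURCE_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "embed": ("src",),
    "object": ("data",),
}


class MixedContentScanner(HTMLParser):
    """Collect (tag, attribute, url) for every resource with an explicit http:// scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # Protocol-relative "//host/..." has an empty scheme and is fine.
            if name in RESOURCE_ATTRS.get(tag, ()) and value and urlsplit(value).scheme == "http":
                self.findings.append((tag, name, value))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def upgrade_to_https(html):
    """Rewrite each flagged http:// resource URL to https://; other text is untouched."""
    for _tag, _attr, url in find_mixed_content(html):
        html = html.replace(url, "https://" + url[len("http://"):])
    return html


# Constructed sample: one offending YouTube embed, one protocol-relative image,
# one https script and a normal link that must not be touched.
SAMPLE = (
    '<p>Watch:</p>'
    '<iframe src="http://www.youtube.com/embed/VIDEO_ID"></iframe>'
    '<img src="//cdn.example.com/logo.png">'
    '<script src="https://example.com/app.js"></script>'
    '<a href="http://example.com/">link</a>'
)

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE):
        print(f"mixed content: <{tag} {attr}={url!r}>")
```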

Bonus: you can add Content Security Policy headers to limit the domains from which images, scripts and iframes can be embedded.